The Essential Addons for Elementor WordPress plugin, which has over a million users, recently patched multiple vulnerabilities that could have allowed malicious attackers to run arbitrary code on a targeted WordPress website.
LFI to RCE Attack Vulnerability
According to the U.S. Government NIST website, vulnerabilities in the Essential Addons for Elementor plugin made it possible for an attacker to launch a Local File Inclusion attack, which is an exploit that allows an attacker to cause a WordPress installation to reveal sensitive information and read arbitrary files.
From there the attack could lead to a more serious attack called Remote Code Execution (RCE). Remote Code Execution is a highly serious form of attack in which a hacker is able to run arbitrary code on a WordPress site and cause a range of damage, including a full site takeover.
As an example, a Local File Inclusion attack can be accomplished by changing the URL parameters to something that could reveal sensitive information.
This was made possible because the Essential Addons for Elementor WordPress plugin did not properly validate and sanitize data.
Data sanitization is a process that limits the kind of information that can be input. In simple terms, data sanitization can be thought of as a lock that allows only a specific input, a key with a specific pattern. A failure to perform data sanitization is analogous to a lock that allows any key to open it.
According to the United States Government National Vulnerability Database:
“The Essential Addons for Elementor WordPress plugin before 5.0.5 does not validate and sanitise some template data before it them in include statements, which could allow unauthenticated attackers to perform Local File Inclusion attack and read arbitrary files on the server, this could also lead to RCE via user uploaded files or other LFI to RCE techniques.”
Security site WPScan, which was the first to discover and report the vulnerability, published the following description:
“The plugin does not validate and sanitise some template data before it them in include statements, which could allow unauthenticated attackers to perform Local File Inclusion attack and read arbitrary files on the server, this could also lead to RCE via user uploaded files or other LFI to RCE techniques.”
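The check the advisory describes as missing, validating template data before it reaches an include statement, can be sketched as follows. This is an added PHP example, not the plugin's code: the function name `resolve_template`, the slug pattern and the temporary demo directory are assumptions made for illustration.

```php
<?php
// Added illustration; resolve_template() is a hypothetical helper, not the plugin's code.
// The unsafe pattern is handing a request value straight to include; this checks it first.
function resolve_template(string $baseDir, string $name): ?string
{
    // 1. Validate: a short slug only, so no path separators, dots, schemes or NUL bytes.
    if (!preg_match('/\A[a-z0-9][a-z0-9_-]{0,63}\z/', $name)) {
        return null;
    }
    // 2. Canonicalise both paths; realpath() returns false when the path does not exist.
    $base = realpath($baseDir);
    $file = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $file === false) {
        return null;
    }
    // 3. Containment: the resolved file must still sit under the template directory
    //    (this also catches a symlink that points somewhere else).
    if (strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $file;
}

// Constructed demo: a temporary directory stands in for the plugin's template folder.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . uniqid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'grid.php', '<?php echo "grid template\n";');

// Constructed inputs: one valid slug and several that must be refused.
foreach (['grid', 'missing', '../grid', 'sub/grid', 'grid.php', "grid\0"] as $candidate) {
    $path = resolve_template($dir, $candidate);
    printf("%-14s => %s\n", json_encode($candidate), $path === null ? 'rejected' : 'include ' . basename($path));
    if ($path !== null) {
        include $path; // only reached for a validated, contained file
    }
}

unlink($dir . DIRECTORY_SEPARATOR . 'grid.php');
rmdir($dir);
```

Only `grid` resolves to a file and is included; every other input is rejected before any filesystem include takes place.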
Essential Addons for Elementor Patched
The vulnerability was announced on the National Vulnerability Database site on February 1, 2022.
But the “Lite” version of the Essential Addons for Elementor plugin has been patching vulnerabilities since the end of January, according to the Essential Addons Lite changelog.
A changelog is a software log of all changes made for each version that is updated. It is a record of everything that was changed.
Curiously, the changelog for the Pro version only mentions “Few minor bug fixes and improvements” and makes zero mention of the security fixes.
Screenshot of Essential Addons For Elementor Pro Changelog
Why is the security fix information missing from the Pro version of the WordPress plugin?
Changelog for the Lite version of Essential Addons for Elementor Lite Plugin
The changelog for the Lite version, covering versions 5.0.3 to 5.0.5, was updated from January 25 – 28, 2022 to fix the following issues:
- Fixed: Parameter sanitization in dynamic widgets
- Improved: Sanitized template file paths for Security Enhancement
- Improved: Enhanced Security to prevent inclusion of unwanted file form remote server through ajax request
The changelog notes that today, on February 2, 2022, the following security enhancement was performed for version 5.0.6:
- Improved: Data sanitization, validation & escaping for Security Enhancement
What is the Safest Version of Essential Addons for Elementor Plugin?
The U.S. Government Vulnerability Database has not assigned a severity score, so it’s unclear at this time how bad the vulnerability is.
However, a remote code execution vulnerability is particularly concerning, so it’s probably a good idea to update to the very latest version of the Essential Addons plugin.
The WPScan website states that the vulnerabilities were fixed in Essential Addons for Elementor Plugin version 5.0.5.
However, the plugin changelog for the Lite version of the plugin states that version 5.0.6 fixes an additional data sanitization issue today, on February 22, 2022.
So it may be prudent to update to at least version 5.0.6.
Citations
Read the WPScan Vulnerability Report
Essential Addons for Elementor < 5.0.5 – Unauthenticated LFI
Read the United States Government Report on the Vulnerability
Read the Essential Addons for Elementor Plugin Lite Changelog
Essential Addons for Elementor Lite Plugin Changelog
Read the Changelog for Essential Addons for Elementor Pro
Essential Addons for Elementor Pro Changelog